Missing Release of Resource after Effective Lifetime Affecting wasmtime-wasi package, versions <24.0.10>=25.0.0 <36.0.11>=37.0.0 <44.0.3>=45.0.0 <45.0.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-WASMTIMEWASI-17400161
- published22 Jun 2026
- disclosed15 Jun 2026
- creditalexcrichton
Introduced: 15 Jun 2026
NewCVE-2026-54786 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade wasmtime-wasi to version 24.0.10, 36.0.11, 44.0.3, 45.0.2 or higher.
Overview
wasmtime-wasi is a Crate defining the Wasi type for Wasmtime, which represents a WASI instance which may be added to a linker.
Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the fd_renumber process. An attacker can cause unintended resource retention and potential information disclosure by manipulating file descriptor renumbering operations.